US-11252198

Policy-based secure containers for multiple enterprise applications

Published: February 15, 2022
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Technologies for providing policy-based secure containers for multiple enterprise applications include a client computing device and an enterprise policy server. The client computing device sends device attribute information and a request for access to an enterprise application to the enterprise policy server. The enterprise policy server determines a device trust level based on the device attribute information and a data sensitivity level based on the enterprise application, and sends a security policy to the client computing device based on the device trust level and the data sensitivity level. The client computing device references or creates a secure container for the security policy, adds the enterprise application to the secure container, and enforces the security policy while executing the enterprise application in the secure container. Multiple enterprise applications may be added to each secure container. Other embodiments are described and claimed.
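The exchange the abstract describes, as an added runnable model (example code written for this page, not code from the patent, its assignee, or any product). It assumes three-step trust and sensitivity scales, a small application inventory, a particular policy matrix, and names for the cut-and-paste and network rules; the abstract fixes none of these, only that the policy depends on both levels and that the client references or creates one secure container per policy.

```python
"""Added example (not code from the patent or any product): a runnable model
of the exchange in the abstract.  The client reports device attributes and
asks for an application; the enterprise policy server derives a device trust
level and a data sensitivity level and returns a security policy; the client
references or creates one secure container per policy, adds the application
to it, and enforces the rules.  The scales, the policy matrix, the application
inventory and the rule names are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

LOW, MEDIUM, HIGH = 0, 1, 2  # assumed scale for both trust and sensitivity


def device_trust_level(attrs: dict) -> int:
    """Server side: derive a device trust level from attributes the claims
    mention (root access, a trusted security processor, software environment).
    The weighting is an assumption."""
    if attrs.get("user_has_root", False):
        return LOW            # a rooted device can defeat any container it hosts
    if attrs.get("security_processor", False) and attrs.get("os_patch_current", False):
        return HIGH
    return MEDIUM


# Assumed inventory: data sensitivity level per enterprise application.
APP_SENSITIVITY = {"expense-report": LOW, "crm": MEDIUM, "wiki": MEDIUM, "payroll": HIGH}


@dataclass(frozen=True)
class SecurityPolicy:
    """Rules controlling the application's behaviour (claims 4 and 5)."""
    allow_cut_paste: bool
    allowed_networks: FrozenSet[str]


def policy_server(attrs: dict, app: str) -> Optional[SecurityPolicy]:
    """Return the policy for this device/application pair, or None to deny.
    The abstract only says the policy depends on both levels; this matrix
    is an assumption."""
    trust, sensitivity = device_trust_level(attrs), APP_SENSITIVITY[app]
    if sensitivity > trust:
        return None                                         # device not trusted enough
    if sensitivity == HIGH:
        return SecurityPolicy(False, frozenset({"intranet"}))
    if sensitivity == MEDIUM:
        return SecurityPolicy(False, frozenset({"intranet", "internet"}))
    return SecurityPolicy(True, frozenset({"intranet", "internet"}))


class SecureContainer:
    """Client side: holds every application that received the same policy."""

    def __init__(self, policy: SecurityPolicy) -> None:
        self.policy = policy
        self.apps: Set[str] = set()
        self._clipboard: Optional[str] = None   # container-private clipboard

    def copy(self, app: str, text: str) -> None:
        if app not in self.apps:
            raise PermissionError(f"{app} is not in this container")
        self._clipboard = text

    def paste(self, destination_inside: bool) -> Optional[str]:
        """Clipboard content is served inside the container; it leaves the
        container only when the policy allows cut and paste (claim 4)."""
        if destination_inside or self.policy.allow_cut_paste:
            return self._clipboard
        return None

    def connect(self, app: str, network: str) -> bool:
        """Network rule (claim 5): allow only the networks named in the policy."""
        if app not in self.apps:
            raise PermissionError(f"{app} is not in this container")
        return network in self.policy.allowed_networks


class Client:
    def __init__(self, attrs: dict) -> None:
        self.attrs = attrs
        self.containers: Dict[SecurityPolicy, SecureContainer] = {}

    def request_app(self, app: str) -> Optional[SecureContainer]:
        """Send attributes and the request; on success, reference the existing
        container for the returned policy or create one, then add the app."""
        policy = policy_server(self.attrs, app)
        if policy is None:
            return None
        container = self.containers.get(policy)
        if container is None:
            container = self.containers[policy] = SecureContainer(policy)
        container.apps.add(app)
        return container


if __name__ == "__main__":
    laptop = Client({"user_has_root": False, "security_processor": True, "os_patch_current": True})
    payroll = laptop.request_app("payroll")
    crm, wiki = laptop.request_app("crm"), laptop.request_app("wiki")
    print("crm and wiki share a container:", crm is wiki)             # True
    payroll.copy("payroll", "salary table")
    print("paste outside payroll container:", payroll.paste(False))  # None
    print("payroll reaches internet:", payroll.connect("payroll", "internet"))  # False
    rooted = Client({"user_has_root": True})
    print("rooted device gets crm:", rooted.request_app("crm") is not None)  # False
```

Two points the model makes visible: the container is keyed by the policy, so "crm" and "wiki" land in the same container while "payroll" gets its own, and access is denied outright rather than downgraded when the sensitivity level exceeds the trust level. A real policy server would also record that decision for audit.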

Patent Claims
23 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A client compute device comprising: trust agent circuitry to send device attribute information to an enterprise policy server, the device attribute information indicative of at least one of a hardware component of the client compute device or a software environment of the client compute device; and security management circuitry to: receive, from the enterprise policy server, an enterprise application, wherein the enterprise application is to access enterprise data; receive a security policy from the enterprise policy server, wherein the security policy includes a set of rules for control of behavior of the enterprise application; construct a secure container on the client compute device; and add the enterprise application to the secure container, wherein the secure container is to enforce the security policy while the enterprise application is executed on the client compute device.

Plain English Translation

This invention relates to secure enterprise application management on client compute devices. The problem addressed is ensuring secure access to enterprise data by applications running on potentially untrusted client devices, such as employee-owned or personal devices. The solution involves a client compute device with specialized circuitry to manage application security and compliance with enterprise policies. The device includes trust agent circuitry that sends device attribute information to an enterprise policy server. This information describes hardware components or the software environment of the client device, allowing the server to assess the device's trustworthiness. Security management circuitry then receives an enterprise application and a corresponding security policy from the server. The security policy defines rules for controlling the application's behavior, such as data access restrictions or execution constraints. The security management circuitry constructs a secure container on the client device and adds the enterprise application to it. The secure container enforces the security policy while the application runs, ensuring that enterprise data is accessed and processed according to predefined rules. This approach isolates the enterprise application from the rest of the device's environment, mitigating risks associated with untrusted or compromised devices. The solution enables secure enterprise application deployment on diverse client devices while maintaining compliance with organizational security policies.

Claim 2

Original Legal Text

2. The client compute device of claim 1, wherein the device attribute information includes an indication of whether a user of the client compute device has root access to the client compute device.

Plain English Translation

Claim 2 narrows claim 1: the device attribute information that the trust agent circuitry sends to the enterprise policy server includes an indication of whether the user of the client compute device has root access, for example a rooted or jailbroken phone, or a laptop on which the user is an administrator. Under the abstract, the server derives the device trust level from these attributes, so this indication feeds directly into how restrictive the returned security policy is, or whether access is granted at all. It matters because a user with root access can in principle read any container's memory and storage, so enforcement inside the container cannot be relied on. The claim does not say how root access is detected or how the server weighs it; it only requires that the attribute be reported. One caveat a deployment must handle: the indication is self-reported by the device, so a device whose user already has root access could report that it does not, unless the report is bound to something the user cannot control, such as the trusted hardware component of claim 3.

Claim 3

Original Legal Text

3. The client compute device of claim 1, further including a security processor, wherein the security processor is a trusted hardware component.

Plain English Translation

Claim 3 adds a security processor to the device of claim 1 and requires that it be a trusted hardware component. The claim does not say what the security processor does. Read with the abstract, its natural role is to give the trust agent's attribute report a hardware root of trust that a compromised operating system cannot forge, since that report is what the enterprise policy server uses to assign a device trust level. Components of this kind (a TPM, a secure element, or a vendor security coprocessor) typically hold keys that never leave the hardware and can attest to the device's state, but none of those specifics is claimed; any trusted hardware component satisfies the claim.

Claim 4

Original Legal Text

4. The client compute device of claim 1, wherein to enforce the security policy, the secure container to disallow cut and paste for the enterprise application.

Plain English Translation

Claim 4 names one rule the secure container enforces: cut and paste is disallowed for the enterprise application. In practice this means data copied inside the container cannot be pasted into applications outside it, closing a common, low-effort path for moving enterprise data into personal apps, messaging, or notes. The claim covers the rule, not a particular mechanism; whether the container provides a private clipboard, intercepts clipboard calls, or clears the clipboard when focus leaves the container is an implementation choice. Note also that the rule is a property of the container, so it applies to every enterprise application added to that container.

Claim 5

Original Legal Text

5. The client compute device of claim 1, wherein the set of rules for control of behavior of the enterprise application includes a rule indicating whether to allow access to one or more network connections.

Plain English Translation

Claim 5 names a second kind of rule in the security policy: a rule indicating whether the enterprise application may access one or more network connections. Read with the abstract, this lets the enterprise policy server make network reach depend on the device trust level and the data sensitivity level, for example confining a high-sensitivity application to the corporate network while allowing a low-sensitivity one on the same device to reach the internet. The claim leaves open what a "network connection" is (an interface, a destination, or a connection type) and how the container enforces the rule, for example through a per-application firewall or a VPN tunnel that only the container can use.

Claim 6

Original Legal Text

6. The client compute device of claim 1, wherein the device attribute information includes a device-specific unique identifier.

Plain English Translation

Claim 6 adds that the device attribute information includes a device-specific unique identifier. This lets the enterprise policy server recognise a given device across requests, tie a recorded trust level or an issued policy to that device, and revoke a single device without affecting others. The claim does not say how the identifier is generated or protected. Two practitioner notes: an identifier that is simply read from software can be copied onto another device, so it is most meaningful when it is bound to hardware (compare claim 3); and a stable per-device identifier is personal data on employee-owned devices, so reporting it is a privacy decision as well as a security one.
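The trust agent's attribute report for claims 2, 3 and 6 (and their counterparts in claims 8, 9, 12, 14, 17 and 19), as an added example written for this page rather than code from the patent. The report carries the root-access indication and a device-specific identifier, and it is bound to a key that stands in for one held by the trusted security processor, so the enterprise policy server can distinguish a genuine, fresh report from a forged or replayed one. The report format, the field names, the root-access heuristic, the choice of identifier, and the use of HMAC with a pre-shared key in place of real hardware attestation are all assumptions made for this example.

```python
"""Added example (not the patent's code): the trust agent's attribute report
for claims 2, 3 and 6.  The root-access check is a heuristic, the identifier
is one possible choice, and the HMAC key stands in for a key held by the
trusted security processor; all of these are assumptions for illustration."""
import hashlib
import hmac
import json
import os
import platform
import uuid

# Assumed: a per-device key provisioned into the security processor at
# enrolment and known to the policy server.  Constructed for this example.
DEVICE_KEY = b"example-device-key-for-illustration-only"


def user_has_root() -> bool:
    """Root-access indication (claim 2).  Heuristic and POSIX-only: true if
    the effective uid is 0 or the user belongs to an admin group.  A rooted
    device can lie here, which is why the report is signed below."""
    if not hasattr(os, "geteuid"):
        return False                       # non-POSIX: not determined here
    if os.geteuid() == 0:
        return True
    import grp
    names = set()
    for gid in os.getgroups():
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass
    return bool(names & {"sudo", "wheel", "admin", "root"})


def device_unique_id() -> str:
    """Device-specific unique identifier (claim 6): a hash of the primary
    MAC address, so the raw MAC is not sent.  Which identifier to use is a
    design choice the claim leaves open."""
    return hashlib.sha256(uuid.getnode().to_bytes(6, "big")).hexdigest()[:32]


def _canonical(body: dict) -> bytes:
    """Stable serialisation so client and server MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_report(nonce: bytes) -> dict:
    """Trust agent: collect attributes and include the server's nonce so the
    report cannot be replayed from an earlier, cleaner device state."""
    body = {
        "device_id": device_unique_id(),
        "user_has_root": user_has_root(),
        "os": platform.system(),
        "os_release": platform.release(),
        "nonce": nonce.hex(),
    }
    mac = hmac.new(DEVICE_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_report(report: dict, nonce: bytes) -> bool:
    """Policy server: accept the attributes only if the MAC is valid for this
    device key and the nonce is the one issued for this request."""
    body = report.get("body", {})
    if body.get("nonce") != nonce.hex():
        return False                       # stale or replayed report
    expected = hmac.new(DEVICE_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(report.get("mac", ""), expected)


if __name__ == "__main__":
    challenge = os.urandom(16)             # issued by the server per request
    report = build_report(challenge)
    print(json.dumps(report["body"], indent=2))
    print("verifies:", verify_report(report, challenge))
    report["body"]["user_has_root"] = False  # a rooted device trying to look clean
    print("verifies after tampering:", verify_report(report, challenge))
```

With a hardware-held key the same structure applies: the security processor signs the canonical report and the server checks the signature and the nonce before it lets the root-access flag or the identifier influence the trust level. A pre-shared HMAC key is used here only to keep the example self-contained; it does not give the "cannot be extracted by a rooted OS" property that the trusted hardware component of claim 3 is there to provide.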

Claim 7

Original Legal Text

7. A client compute device comprising: one or more processors; one or more storage devices including a plurality of instructions that, when executed by the one or more processors, cause the client compute device to: send device attribute information to an enterprise policy server, the device attribute information indicative of a hardware component of the client compute device or a software environment of the client compute device; access an enterprise application received from the enterprise policy server, wherein the enterprise application is to access enterprise data; receive a security policy from the enterprise policy server, wherein the security policy includes a set of rules for control of behavior of the enterprise application; construct a secure container on the client compute device; add the enterprise application to the secure container; and configure the secure container to enforce the security policy while the enterprise application is executed on the client compute device.

Plain English Translation

Claim 7 restates claim 1 for a device implemented as one or more processors executing instructions held on one or more storage devices, rather than as dedicated trust agent and security management circuitry. The steps are the same: send device attribute information describing a hardware component or the software environment to the enterprise policy server; access an enterprise application received from that server, where the application is one that will access enterprise data; receive a security policy containing rules that control the application's behaviour; construct a secure container; add the application to it; and configure the container to enforce the policy while the application runs. The effect is the same isolation as in claim 1: the application and the enterprise data it handles are confined to a controlled execution environment whose rules the server chose on the basis of the device's reported attributes. Because the behaviour is defined by instructions, it can be delivered as an agent or a platform software update rather than as hardware.

Claim 8

Original Legal Text

8. The client compute device of claim 7, wherein the device attribute information includes an indication of whether a user of the client compute device has root access to the client compute device.

Plain English Translation

Claim 8 is the counterpart of claim 2 for the device of claim 7: the device attribute information sent to the enterprise policy server includes an indication of whether the user has root access. As in claim 2, the indication is an input to the trust level the server assigns, and it matters because a user with root access can subvert any container the device hosts. The same caveat applies: a self-reported indication is only as reliable as the channel that carries it.

Claim 9

Original Legal Text

9. The client compute device of claim 7, further including a security processor, wherein the security processor is a trusted hardware component.

Plain English Translation

Claim 9 is the counterpart of claim 3 for the device of claim 7: the device further includes a security processor that is a trusted hardware component. Nothing further is claimed about what the processor does; see the note on claim 3 for the role such a component typically plays in making the device's attribute report trustworthy. The component may be a separate chip or integrated into the main processor; the claim does not distinguish.

Claim 10

Original Legal Text

10. The client compute device of claim 7, wherein the instructions, when executed, cause the client compute device to disallow cut and paste for the enterprise application in order to enforce the security policy.

Plain English Translation

Claim 10 is the counterpart of claim 4 for the device of claim 7: the stored instructions cause the device to disallow cut and paste for the enterprise application as part of enforcing the security policy. The wording differs slightly from claim 4, where the secure container itself disallows cut and paste; here the restriction is attributed to the executing instructions, which fits a software-implemented container. The practical effect is the same: clipboard content produced in the enterprise application cannot leave the secure container, which removes a data-leak path that needs no exploit, only an ordinary user action.

Claim 11

Original Legal Text

11. The client compute device of claim 7, wherein the set of rules for control of behavior of the enterprise application include a rule indicating whether to allow access to one or more network connections.

Plain English Translation

Claim 11 is the counterpart of claim 5 for the device of claim 7: the set of rules in the security policy includes a rule indicating whether the enterprise application may access one or more network connections. See claim 5 for how this combines with the trust and sensitivity levels the server computes; the claim itself does not specify the granularity of the rule or the enforcement mechanism.

Claim 12

Original Legal Text

12. The client compute device of claim 7, wherein the device attribute information includes a device-specific unique identifier.

Plain English Translation

Claim 12 is the counterpart of claim 6 for the device of claim 7: the device attribute information includes a device-specific unique identifier, letting the server recognise and individually manage the device. The notes on claim 6 about binding the identifier to hardware and about its privacy implications apply unchanged.

Claim 13

Original Legal Text

13. One or more data storage devices comprising a plurality of instructions that, when executed by one or more processors of a client compute device, cause the client compute device to: send device attribute information to an enterprise policy server, the device attribute information indicative of a hardware component of the client compute device or a software environment of the client compute device; access an enterprise application received from the enterprise policy server, wherein the enterprise application is to access enterprise data; receive a security policy from the enterprise policy server, wherein the security policy includes a set of rules for control of behavior of the enterprise application; construct a secure container on the client compute device; add the enterprise application to the secure container; and configure the secure container to enforce the security policy while the enterprise application is executed on the client compute device.

Plain English Translation

Claim 13 claims the same method as claim 7 in the form of one or more data storage devices (a computer-readable medium) holding instructions that, when executed by a client compute device's processors, perform the steps: send device attribute information to the enterprise policy server, access the enterprise application received from it, receive the security policy, construct a secure container, add the application to it, and configure the container to enforce the policy while the application runs. Claiming the medium covers the software as distributed, for example an agent package or a platform image, independently of the device it ends up on. The substance is unchanged: enterprise data accessed by the application is protected according to rules the server chose from the device's reported attributes, even on devices outside the enterprise's direct control.

Claim 14

Original Legal Text

14. The one or more data storage devices of claim 13, wherein the device attribute information includes an indication of whether a user of the client compute device has root access to the client compute device.

Plain English Translation

Claim 14 is the counterpart of claim 2 for the storage devices of claim 13: the device attribute information that the instructions cause the device to send includes an indication of whether the user has root access. Root access gives the user unrestricted control of the device, including over the container, so the indication is a primary input to the trust level the server assigns. The same caveat about self-reported indications applies.

Claim 15

Original Legal Text

15. The one or more data storage devices of claim 13, wherein the enforcing of the security policy includes disallowing cut and paste for the enterprise application.

Plain English Translation

Claim 15 is the counterpart of claim 4 for the storage devices of claim 13: enforcing the security policy includes disallowing cut and paste for the enterprise application. The rule targets a routine user action that bypasses most other controls, since a user who can paste enterprise data into a personal app needs no exploit to exfiltrate it. As with claim 4, the claim covers the rule rather than a particular mechanism (a private clipboard, intercepted clipboard calls, or application-level controls) for enforcing it.

Claim 16

Original Legal Text

16. The one or more data storage devices of claim 13, wherein the set of rules for control of behavior of the enterprise application includes a rule indicating whether to allow access to one or more network connections.

Plain English Translation

Claim 16 is the counterpart of claim 5 for the storage devices of claim 13: the rules controlling the enterprise application's behaviour include a rule indicating whether to allow access to one or more network connections. The rule can block, allow, or (in combination with the trust and sensitivity levels of the abstract) conditionally permit network access; the discussion under claim 5 applies.

Claim 17

Original Legal Text

17. The one or more data storage devices of claim 13, wherein the device attribute information includes a device-specific unique identifier.

Plain English Translation

Claim 17 is the counterpart of claim 6 for the storage devices of claim 13: the device attribute information includes a device-specific unique identifier. Note that the identifier identifies the client compute device, not the storage devices that hold the instructions; the claim is about what the executing software reports to the enterprise policy server. The notes on claim 6 about hardware binding and privacy apply.

Claim 18

Original Legal Text

18. A client compute device comprising: means for sending device attribute information to an enterprise policy server, the device attribute information indicative of a hardware component of the client compute device or a software environment of the client compute device; means for accessing an enterprise application received from the enterprise policy server, wherein the enterprise application is to access enterprise data; means for receiving a security policy from the enterprise policy server, wherein the security policy includes a set of rules for control of behavior of the enterprise application; means for constructing a secure container on the client compute device; means for adding the enterprise application to the secure container; and means for enforcing the security policy while the enterprise application is executed on the client compute device.

Plain English Translation

Claim 18 claims the same combination as claims 1 and 7 in means-plus-function form: means for sending device attribute information (describing a hardware component or the software environment) to the enterprise policy server; means for accessing the enterprise application received from the server; means for receiving the security policy with its set of rules; means for constructing a secure container; means for adding the application to it; and means for enforcing the security policy while the application runs. Under US practice each "means" is construed to cover the corresponding structure described in the patent and its equivalents, so this claim reaches implementations that are neither the specific circuitry of claim 1 nor the stored-instruction form of claim 7. The security effect is the one described under claim 1: the enterprise application and its data are isolated in a container whose rules the server chose from the device's reported attributes.

Claim 19

Original Legal Text

19. The client compute device of claim 18, wherein the device attribute information includes an indication of whether a user of the client compute device has root access to the client compute device.

Plain English Translation

This invention relates to client compute devices and methods for managing device attributes, particularly in systems where security and access control are critical. The technology addresses the challenge of ensuring secure and efficient management of device attributes, including user access privileges, to prevent unauthorized modifications or breaches. The client compute device includes a processor and memory storing instructions that, when executed, perform operations to manage device attributes. These attributes include information about the device's configuration, capabilities, and user permissions. Specifically, the device attribute information indicates whether a user has root access, which is a high-level administrative privilege that allows full control over the system. By tracking this attribute, the system can enforce security policies, restrict unauthorized access, and maintain compliance with organizational or regulatory requirements. The device may also include a communication interface to transmit the device attribute information to a remote server or another system component. This enables centralized monitoring and management of multiple devices, allowing administrators to assess security risks and apply updates or restrictions as needed. The system may further include a display for presenting the device attribute information to users or administrators, facilitating transparency and control. By integrating root access verification into device attribute management, the invention enhances security by preventing unauthorized administrative actions and ensuring that only authorized users can modify critical system settings. This approach is particularly useful in enterprise environments where maintaining strict access control is essential for protecting sen

Claim 20

Original Legal Text

20. The client compute device of claim 18, further including a security processor, wherein the security processor is a trusted hardware component.

Plain English Translation

A client compute device includes a security processor that is a trusted hardware component. The device is designed to enhance security in computing environments where sensitive data or operations are involved. The security processor operates as a dedicated hardware module that performs security-related functions independently of the main processing unit. This isolation ensures that security operations are protected from potential vulnerabilities in the main system, such as software-based attacks or compromised firmware. The security processor may handle tasks like secure authentication, encryption, decryption, and key management, ensuring that these operations are performed in a trusted environment. By integrating a trusted hardware component, the device provides a higher level of security for sensitive operations, reducing the risk of unauthorized access or tampering. This approach is particularly useful in environments where data integrity and confidentiality are critical, such as financial transactions, healthcare systems, or enterprise networks. The security processor may also enforce security policies, validate digital signatures, and manage secure boot processes, further strengthening the device's overall security posture. The trusted hardware component operates in a secure enclave, ensuring that even if other parts of the system are compromised, the security processor remains resilient. This design is applicable to various computing devices, including personal computers, servers, and mobile devices, where enhanced security is required.

Claim 21

Original Legal Text

21. The client compute device of claim 18, wherein the means for enforcing the security policy includes means for disallowing cut and paste for the enterprise application.

Plain English Translation

This invention relates to client compute devices with enhanced security features for enterprise applications. The problem addressed is the risk of unauthorized data transfer or leakage through common user actions like cut and paste operations within enterprise environments. The invention provides a client compute device with a security policy enforcement mechanism that specifically restricts cut and paste functionality for enterprise applications. This prevents users from copying sensitive enterprise data and pasting it into unauthorized applications or external systems. The device includes a security policy module that defines and enforces these restrictions, ensuring that data remains within approved enterprise boundaries. The enforcement mechanism may involve monitoring clipboard access, intercepting cut and paste commands, or blocking interactions between enterprise applications and non-enterprise applications. This solution enhances data protection by reducing the risk of accidental or intentional data exfiltration through basic user operations. The invention is particularly useful in environments where strict data governance is required, such as financial institutions, healthcare providers, or government agencies handling classified information. By controlling cut and paste operations, the device helps maintain compliance with regulatory requirements and internal security policies.

Claim 22

Original Legal Text

22. The client compute device of claim 18, wherein the set of rules for control of behavior of the enterprise application includes a rule indicating whether to allow access to one or more network connections.

Plain English Translation

This invention relates to client compute devices configured to manage enterprise application behavior through a set of rules. The technology addresses the challenge of controlling application access to network connections in enterprise environments, where unauthorized or excessive network usage can pose security and performance risks. The client compute device includes a rule-based system that governs the behavior of enterprise applications, with specific rules determining whether to permit or restrict access to network connections. These rules can be dynamically adjusted to enforce security policies, optimize bandwidth usage, or comply with regulatory requirements. The system may also include mechanisms to monitor and log network access attempts, providing visibility into application behavior and potential security threats. By implementing these controls, the invention ensures that enterprise applications operate within defined parameters, reducing the risk of data breaches, unauthorized data transfers, or network congestion. The solution is particularly useful in environments where multiple applications share network resources, requiring fine-grained control over their network interactions.

Claim 23

Original Legal Text

23. The client compute device of claim 18, wherein the device attribute information includes a device-specific unique identifier.

Plain English Translation

A system and method for managing client compute devices in a networked environment addresses the challenge of securely and efficiently identifying and authenticating devices within a distributed computing infrastructure. The system includes a client compute device configured to generate and transmit device attribute information to a server. This attribute information includes a device-specific unique identifier, which enables the server to authenticate the device and authorize access to network resources. The unique identifier ensures that each device can be distinctly recognized, preventing unauthorized access and enhancing security. The client compute device may also collect additional attributes such as hardware specifications, software versions, and network configurations, which are used for device management, monitoring, and troubleshooting. The server processes this information to enforce security policies, allocate resources, and maintain an up-to-date inventory of connected devices. This approach improves device management efficiency, reduces administrative overhead, and strengthens security by ensuring only authorized devices can access the network. The system is particularly useful in enterprise environments where multiple devices must be securely managed and monitored.
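The flow described across claims 18 to 23 (device attributes sent to the policy server, a device trust level combined with the application's data sensitivity level, and a rule set enforced by the secure container), as an added Python sketch that is not code from the patent or its assignee. The trust-level names, sensitivity labels and rule keys are assumptions chosen for illustration.

```python
"""Toy model of the policy flow in claims 18-23 (added example, not the patent's
code). A client reports device attributes; the policy server derives a trust
level, combines it with the enterprise application's data sensitivity level and
returns a rule set; the client-side secure container enforces those rules.
Level names, sensitivity labels and rule keys are assumptions for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceAttributes:
    device_id: str            # device-specific unique identifier (claim 23)
    has_root_access: bool     # whether the user has root on the device (claim 19)
    security_processor: bool  # trusted hardware component present (claim 20)


def device_trust_level(attrs: DeviceAttributes) -> str:
    """Server side: map reported attributes to a trust level.
    A rooted device is always 'low'; trusted hardware raises trust to 'high'."""
    if attrs.has_root_access:
        return "low"
    return "high" if attrs.security_processor else "medium"


def build_policy(attrs: DeviceAttributes, data_sensitivity: str) -> dict:
    """Server side: choose the rule set from device trust and data sensitivity."""
    trust = device_trust_level(attrs)
    # Cut and paste (claim 21) only on high-trust devices handling non-restricted data.
    allow_clipboard = trust == "high" and data_sensitivity != "restricted"
    # Network access (claim 22): none for low trust; restricted data needs high trust.
    allow_network = trust != "low" and (data_sensitivity != "restricted" or trust == "high")
    return {"device_id": attrs.device_id, "trust_level": trust,
            "allow_clipboard": allow_clipboard, "allow_network": allow_network}


class SecureContainer:
    """Client side: groups enterprise apps under one policy and gates their actions."""
    RULES = {"clipboard": "allow_clipboard", "network": "allow_network"}

    def __init__(self, policy: dict):
        self.policy = policy
        self.apps = []  # several enterprise apps may share one container

    def add_app(self, name: str) -> None:
        self.apps.append(name)

    def request(self, app: str, action: str) -> bool:
        """True if the container permits `app` to perform `action`; unknown apps
        and actions with no governing rule are denied (default deny)."""
        if app not in self.apps:
            return False
        rule = self.RULES.get(action)
        return bool(rule and self.policy[rule])
```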

Patent Metadata

Filing Date

September 11, 2019

Publication Date

February 15, 2022

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Policy-based secure containers for multiple enterprise applications” (US-11252198). https://patentable.app/patents/US-11252198
